Smart Marine Consultant (2/4): The Full Map — How Smart/Cyber Ship Projects Actually Get Built
Why the Full Map Matters
In Part 1, I described what a Smart Marine Consultant does: translation between the world of ships and the world of technology, with cybersecurity running through everything.
But translation without a map is just noise.
To work effectively in this space, you need to understand the full lifecycle of a smart ship project — not as a theoretical framework, but as a sequence of real decisions, real deadlines, and real consequences. You need to know where cybersecurity enters the picture, where it gets pushed aside, and where the damage from that delay shows up later.
This is that map.
The Five Stages of a Smart Ship Project
This is where everything that matters gets decided, and where most cybersecurity work is still absent.
The shipowner and shipyard sign the shipbuilding contract. The basic design begins — hull form, propulsion, major systems. At this stage, the key cybersecurity questions are:
Has the shipowner defined a Cybersecurity Requirements Specification (CRS)?
Has the shipyard identified who will serve as the CRSI (Cyber Resilience System Integrator)?
Has the class society been engaged on E26/E27 survey requirements?
In practice, the answer to all three is usually: not yet.
The commercial pressure at contract signing is enormous. Delivery schedules, steel prices, equipment lead times — cybersecurity feels abstract by comparison. Once the basic design is approved, changing the security zone architecture costs real money. Getting it right at Stage 1 costs almost nothing.
This is where the Computer-Based System (CBS) inventory gets built — the master list of every digital system on the vessel that falls under IACS UR E26 scope.
ECDIS. Radar. Propulsion control. Ballast water management. VSAT. Engine monitoring. Power management. The list runs to dozens of systems on a modern vessel, each with its own vendor, its own software version, its own update cycle, and its own network connection.
The security zone diagram — which defines how these systems are grouped, isolated, and connected — must be completed at this stage. So must the initial Vessel Cyber Security Plan (VCSP).
The CBS inventory is often incomplete because equipment suppliers haven't confirmed their system specifications yet. The security zone diagram gets drawn based on assumptions that will later be wrong. The VCSP becomes a document that describes what the ship is supposed to look like, not what it will actually be. A Smart Marine Consultant's role here is to challenge those assumptions early, and to build a review process that catches the delta before it becomes a compliance gap at survey.
Every equipment supplier delivering a Computer-Based System must comply with IACS UR E27. That means:
Providing cybersecurity documentation for their system
Confirming software update and patch management procedures
Confirming remote access controls
In many cases, obtaining Type Approval from the class society
This is where the supply chain reality of maritime cybersecurity becomes visible. A shipyard might have 40 or 50 CBS suppliers on a single vessel. Each one is at a different level of E27 readiness.
Procurement teams negotiate price and delivery. Cybersecurity documentation gets treated as an afterthought — "we'll get it before delivery." Suppliers promise compliance without understanding what it means. The CRSI is left chasing documentation from 40 different vendors in the final months before commissioning. A Smart Marine Consultant working at this stage helps build a supplier qualification framework embedded into procurement, not appended to it.
Steel is cut. Systems are installed. The ship takes physical form.
This is where the gap between the security zone diagram and reality becomes visible. The network cable that was supposed to connect System A to Zone 1 gets run to Zone 2 because it was shorter. The remote access terminal that wasn't in the original design gets added because the engine manufacturer requires it for warranty support. The software version installed is three releases behind because the supplier shipped early.
Every one of these changes is a potential E26 nonconformity. Every one of them needs to be tracked, assessed, and either accepted with justification or corrected before survey.
Changes accumulate without a formal change management process. The VCSP becomes outdated. The CBS inventory drifts from reality. By the time commissioning approaches, the gap between documentation and ship is wide enough to create serious survey risk. A Smart Marine Consultant at this stage maintains the living documentation — the CBS inventory and security zone diagram that reflect what the ship actually is, not what it was designed to be.
The vessel undergoes sea trials. The class surveyor conducts the initial cyber survey. The ship is delivered to the shipowner, along with the complete cybersecurity documentation package.
This is where everything that was deferred, assumed, or undocumented arrives at the same time.
The surveyor asks to see the VCSP. It reflects the design, not the ship. The CBS inventory has gaps. The supplier documentation for three systems is missing. The software versions on six systems don't match the approved configurations.
None of these are unfixable — but fixing them under delivery pressure, with the shipowner watching the clock, is expensive and stressful in ways that Stage 1 work is not.
The full set of cybersecurity documents that transfers from shipyard to shipowner is what the ship will be audited against for the rest of its operational life. Getting it right at delivery matters not just for the initial survey, but for every Annual Survey that follows.
Where Cybersecurity Actually Fits
The common misconception is that cybersecurity is a Stage 4 or Stage 5 activity — something you install near the end, like the paint.
The reality is that cybersecurity is a Stage 1 through Stage 5 continuous process, with the most critical decisions happening before most people have started thinking about it.
| Stage | Cyber Work That Must Happen | What Gets Missed |
|---|---|---|
| 1. Contract | CRS defined, CRSI identified, class engaged | Usually everything |
| 2. Design | CBS inventory, zone diagram, VCSP draft | Gaps from unconfirmed suppliers |
| 3. Procurement | E27 supplier qualification, TA verification | Documentation deferred |
| 4. Construction | Change management, living documentation | Drift between design and ship |
| 5. Delivery | Survey readiness, handover package | Everything that was deferred |
The One Thing That Changes Everything
If there is a single intervention that improves smart ship cybersecurity outcomes more than any other, it is this:
Assign the CRSI role at contract signing, not at commissioning.
The CRSI — the Cyber Resilience System Integrator defined in IACS UR E26 — is responsible for integrating, verifying, and coordinating cybersecurity across all systems. But in practice, this role is often filled late, by someone without the authority or the context to influence the decisions that have already been made.
A CRSI engaged from Stage 1 can shape the security zone architecture before it's frozen. They can build the supplier qualification framework before procurement begins. They can maintain the living documentation throughout construction. They can walk into the commissioning survey with evidence that was built over two years, not assembled over two weeks.
That is what a working system looks like.
Smart ship cybersecurity is a Stage 1–5 continuous process. The most critical decisions happen before steel is cut.
Each stage has specific cyber work that must happen — and predictable failure modes when it doesn't.
Supplier documentation failures at Stage 3 compound into survey risk at Stage 5 — the cost of deferral is never zero.
The single highest-leverage intervention: assign the CRSI at contract signing, not commissioning.
Comments
Post a Comment